FAQ: The Eventlog of Windows
Part 1 - General eventlog questions
Copyright © 1997-2007 Frank Heyne - All rights reserved - Last update: 05. February 2007
If you want to put this page on your own web server, please don't; use a link instead. The reason is simple: I
don't want old copies with old versions of the FAQ lying around on the web.
A 1: Every time something is printed, an entry is written in the system log, stating that the printing went OK. But since
this NT machine is a print server, my system log fills up very fast and I have to clear it every day. Is there a way to disable
this so that no entry is made in the event viewer?
To HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers, add the following entry:
Name: EventLog
Type: DWORD
Value: 0
There is no need to reboot, but you will have to stop and restart the spooler from services in Control Panel.
A 2: Is there a problem with NT 3.51/4 recording of events? I am showing the next user logging in before the last user is
logged out.
AFAIK, it is a known bug in all versions of NT. Have a look at Microsoft's KB article Q146880. Though they state the bug was
removed with the latest 3.51 Service Pack, in reality it still seems to be there.
A 3: When I change the maximum size of a log, how big will it grow? The log is in "Never overwrite" mode. The
maximum log size was 256 KB. I changed it to 1024 KB. Later I decided 512 KB is enough and changed it again. The current log size is
only 128 KB.
It depends ;-)
If you don't reboot, the log file will grow to 1024 KB. If you reboot before the log is greater than 512 KB, it will grow to 512
KB. If you reboot when the log is already greater than 512 KB, it will fill up the space it already has and not grow further. (The log
always grows in chunks of 64 KB: when a chunk is full, the next chunk is assigned to the log file.) Rebooting has the same effect as
clearing the entries, by the way. If you want predictable results, the only way is to clear the log after changing any of its
settings! If you use Elwiz to change the log settings in your network, it can save and clear the log automatically.
Is there a difference if the log is in "Overwrite" mode?
Yes. If the log is in "Overwrite" mode and it is full (so overwriting really takes place), you can increase the maximum size of
the log as much as you want; it will not grow any more until the log is cleared! If you want predictable results, the only way is to
clear the log after changing any of its settings!
A 4: I have a machine with all logs set to a maximum size of 512 KB. The application log is only 256 KB but every time I
reboot, NT tells me it is full. Both Elwiz as well as the standard Event Viewer tell me its maximum size is 512 KB. Both Elwiz
as well as Explorer tell me the file size is 256 KB, so why does the eventlog service refuse to log more application events? Instead
it tells me the log is full?!?
Are you sure nobody changed the log settings after the log was cleared the last time? Your experience is reproducible:
- Put the log in overwrite mode.
- Set the maximum size to 256 KB.
- Clear it.
- Fill it until overwriting takes place (Elwiz will say "0 % empty").
- Change the setting to "Never overwrite".
- Increasing the maximum log size won't have any effect now (until the log is cleared; even a reboot won't help in this case).
The standard Event Viewer will not warn you about this unexpected behaviour (though it does warn when you decrease the log size).
If you want predictable results, the only way is to clear the log after changing any of its settings!
A 5: The documentation says if I set CrashOnAuditFail to 1, the machine will crash when the security log becomes full and only
Admins are allowed to log in after this has occurred. Does this setting have any influence if the system or application log is
getting full?
No, CrashOnAuditFail only affects the security log.
A 6: Checking a security log I saw something odd: the end of a process was logged after its start, but with an
earlier timestamp. How is this possible?
Probably somebody changed the system time.
So the next question is: Why does Microsoft not care to log changes of the system clock?
I do not know why they missed it for so long. But in NT 5.1 (aka WXP) there is the new Security event 520, which does report
changes of the system's time.
A 7: Where does security event 642 with user Anonymous come from?
NT uses the Anonymous account for some of its own activities, for instance changing machine passwords. If, for instance, the Target
Account Name looks like SERVER2$, the PDC probably changed the password of the machine account of SERVER2. By default it changes
the password of every machine belonging to the domain once a week, generating such an event.
But even changing the password of a normal user account might occur under the Anonymous account, for instance when an expired
password is changed during logon. More interesting details are available in answer 23.
A 8: I get a lot of event log IDs 528, 538 (users logging on and off). First comes a 528 (logon) followed later by 538
(logoff). I know the user is not logging off...
Check the logon type in the events.
- If it is 2 (Interactive logon), it is the old bug described in Microsoft's KB article Q146880.
- If it is 3 (Network logon), it is a network logon/logoff. Such an event occurs, for instance, when a user connects to a share.
There is also a setting on the server called "Autodisconnect if a session is idle more than x min", with a default of 15
min. So even if a user is connected to a share for hours, you can get a lot of such events, because the server will disconnect after
the idle time and reconnect when the share is accessed the next time. This is transparent to the user.
- Logon type 4 (Batch logon) is only logged on NT 4 if you have the new scheduler installed, which comes with IE 5. This
new scheduler logs logons and logoffs of its tasks, because each task may run under a different account. The native NT 4
scheduler ran all tasks under the account it was running under itself, therefore nobody needed to log on when a batch job started.
I was wondering if you could tell me how to set the autodisconnect to a longer time for logon type 3?
The easiest way is to use the command
NET CONFIG SERVER /AUTODISCONNECT:Minutes
But I have another user (admin) who does not have any share open on a workstation but is generating lots of pairs of events 528/538
nevertheless.
Somebody reported this behaviour when perfmon.exe is run across the network. In some cases this program is reported to open and
close a connection every time it collects data, which can be very often. I could not reproduce this behaviour, though.
A 9: Are there any known bugs with the Security event logging of NT?
Event logging as implemented in NT 4.0 is far from being flawless. Some examples:
- Security event 513 is documented, but never gets logged in NT prior to version 5.
- Certain events should only occur in pairs; for instance, for every start of a program there should be an end. But even if the
machine runs for months without a shutdown, you will find the following oddities:
  - There are fewer Security events 538 than 528 logged (should be the same number, in theory).
  - Logon failures of the screen saver (logon type 7) are logged with the wrong type 2.
  - There is only an event 528 type 7 logged when the screen saver is cancelled, but no event finds its way into the logs when it
is started.
  - There are fewer Security events 562 than 560 logged (should be the same number, in theory).
  - There are fewer Security events 593 than 592 logged (should be the same number, in theory).
- Logging of Security event 592 sucks (for more info see the documentation for R592E.zip).
- Some more security events have been documented for many years, but they were first implemented in NT version 5 (for more info see
Microsoft's KB article Q173059).
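A small consistency check over constructed sample records, as an added example (not code from this FAQ or from Elwiz): it counts each start/end pair named above, breaks 528 events down by logon type as answer 8 suggests, and flags an end event that carries an earlier timestamp than its own start, the symptom from answer 6. The record layout, the timestamps and the key values are assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

# Start -> end event IDs that should be logged in equal numbers (answer 9).
PAIRED_EVENTS = {528: 538, 560: 562, 592: 593}
END_TO_START = {end: start for start, end in PAIRED_EVENTS.items()}
# Logon types carried by event 528 (answers 8 and 9).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 7: "Unlock"}


def at(hhmmss):
    """Constructed timestamp on one fixed day, for the sample below."""
    return datetime.strptime("2007-02-05 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample records, listed in the order they were written to the log:
# (timestamp, event id, logon type or None, pairing key).  The key is the Logon ID
# for 528/538, the Handle ID for 560/562 and the Process ID for 592/593 (assumed values).
SAMPLE_EVENTS = [
    (at("08:00:00"), 528, 2, "(0x0,0x12345)"),  # interactive logon
    (at("08:00:01"), 528, 3, "(0x0,0x12360)"),  # share connected during logon
    (at("08:00:02"), 538, 3, "(0x0,0x12360)"),  # network session closed again
    (at("08:01:00"), 592, None, "0x1f4"),       # process start
    (at("08:02:00"), 560, None, "0x88"),        # object opened, no 562 ever follows
    (at("08:03:00"), 592, None, "0x208"),       # process start
    (at("07:55:00"), 593, None, "0x208"),       # its end: written later, timed earlier
    (at("08:20:00"), 528, 3, "(0x0,0x12400)"),  # reconnect after autodisconnect
    (at("08:20:01"), 538, 3, "(0x0,0x12400)"),
    (at("08:30:00"), 593, None, "0x1f4"),       # end of the first process
]


def pair_balance(events):
    """Return {start id: (starts, ends)}; a surplus of starts is the mismatch
    answer 9 describes for 538/528, 562/560 and 593/592."""
    counts = Counter(eid for _, eid, _, _ in events)
    return {start: (counts[start], counts[end]) for start, end in PAIRED_EVENTS.items()}


def logon_type_breakdown(events):
    """Tally 528 events per logon type, so a type 2 plus a type 3 entry is
    recognised as one interactive logon plus a share connection."""
    return Counter(LOGON_TYPES.get(lt, f"type {lt}") for _, eid, lt, _ in events if eid == 528)


def backwards_end_events(events):
    """End events whose timestamp precedes their own start event.  The events
    must be given in log order; the usual cause is a changed system clock (answer 6)."""
    started = {}
    anomalies = []
    for ts, eid, _, key in events:
        if eid in PAIRED_EVENTS:
            started[(eid, key)] = ts
        elif eid in END_TO_START:
            start_ts = started.get((END_TO_START[eid], key))
            if start_ts is not None and ts < start_ts:
                anomalies.append((eid, key, start_ts, ts))
    return anomalies


if __name__ == "__main__":
    print(pair_balance(SAMPLE_EVENTS))
    print(logon_type_breakdown(SAMPLE_EVENTS))
    for eid, key, start_ts, end_ts in backwards_end_events(SAMPLE_EVENTS):
        print(f"event {eid} for {key}: start {start_ts:%H:%M:%S}, end {end_ts:%H:%M:%S}")
```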
A 10: Are there any known bugs with the Print event logging of NT?
Some examples of known bugs are:
- When printing from DOS programs, Windows NT is not able to recognize how many pages were printed. The same is true for the
redirection of the output of command line utilities at the DOS prompt. Regardless of the number of pages actually printed, 0 pages are
reported in these cases.
- Often only the number of different pages printed during a job is reported. So if more than one copy of a
document is printed, the log file reports the wrong number of pages. If somebody starts a job to print 10 copies of a document that
consists of 3 pages, for instance, only 3 pages will be reported as printed in the event log! It seems the software that generates the
print job is the culprit: "Microsoft WinWord 7.0" reports the wrong number of pages, but "Microsoft Write"
reports it correctly.
- You will encounter another problem if you have machines with any kind of DOS based Windows (3.11 or 9x) on your LAN. If somebody
prints from such a machine, NT will always report the wrong number of pages (zero) but the correct number of bytes printed.
A 11: I recently experienced a significant slow down on my NT 4.0 workstation and discovered that my application event
log was overflowing. I cleared it and noticed an almost immediate improvement with several applications. What caused my event log to
get so big? (We had the log overwrite parameter set to 7 days and still had several months of log activity.)
Events are only overwritten when the log is full. In your case they must also be at least seven days old, but if the log isn't full
after 3 months, these old events will still reside in the log until their disk space is needed for new events.
A 12: I'm trying to read the Security Event log and it seems that certain successful logons generate double entries
in the log. These entries can have either the exact same time or very close -- a second or two apart.
Check the logon type in the events. One event 528 should have logon type 2, that is your interactive logon. If you connect to one or
more shares during logon, there should be another event 528 with logon type 3 (network logon) on every machine you connect to. This
type of event is always created when connecting to a share, even if the share is on your local machine, so it looks like a double logon
at first glance.
A 13: All the system and the services work properly, but only users that belong to the Administrators group can 'log on
locally' or 'access this computer from network', although we have correct rights set in User Manager - Policies - User
Rights.
This one doesn't look like it has anything to do with event logging, right? But the reason for your problem is probably:
- The Security event log was full.
- CrashOnAuditFail was set to 1; now it will be set to 2.
The easiest way to check and reset this registry value is using Elwiz; it works via the network, too.
A 14: Who can access the Security log?
As so often in life - it depends ;-)
To be more specific, it depends on the version of the file %systemroot%\system32\eventlog.dll.
- If this file is from 1997 or earlier, all members of the Administrators group do have access to the Security log, regardless of
assigned privileges.
- If this file is from 1998 or later, only accounts with the privilege "Manage auditing and security log" do have access
to the Security log, regardless of their group membership. In Microsoft's KB article Q142615 you can read how to get the
update - currently it doesn't look like it is available for free.
A 15: Who can access the other (System, Application) logs? Any ideas to stop domain users from viewing these other
event logs on a server?
- You can restrict Execute permissions on eventvwr.exe for these users. But if you want to allow them to view the
local logs but not the logs on the server, you will have a problem, because eventvwr.exe will open all but the security logs
on the server for them.
- You can set a Registry value for each log:
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
and: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
Type: REG_DWORD
Name: RestrictGuestAccess
Setting this value to 1 will do what its name suggests.
- You can try Elwiz, it will look for the evt file permissions and only open logs where the user does have Read
permissions.
A 16: Is it possible to use the eventlog to log Security events to another server, in real time? From a security
perspective, the ability to read eventlogs from remote machines is useless; they may have already been modified.
Currently this is not possible with NT. But you should keep in mind the following:
- If you are a domain admin, you should take over all local admin accounts of the machines you are responsible for, and remove the
right to manage the Security logs from all local accounts. So nobody except domain admins can delete all these Security logs.
- The time of the deletion of the Security log is recorded, so you can easily check whether somebody deleted some events since
your last action.
- Apart from deleting the complete log file, it is nearly impossible to manipulate log entries. In theory somebody could use some
tricks like disk editors, injected threads or running another operating system. But if somebody is able to do this, he could also use
these techniques to manipulate the data he wants to tamper with directly, without creating a log entry and the need to manipulate
this entry afterwards.
- The possibility to log events to another machine won't give you total reliability of the event log data, either. The
attacker could still do what he wants to hide; he only has to pull the network cable first, simulating a crash of his machine:
- In case Security event 529 were written to the DC, you would assume all 529 were written to one of the DCs,
right?
- So you would assume checking all DCs is enough when searching for failed logon attempts.
- What if a user A tries to use the account of his colleague B, who just logged off the workstation? User A pulls the network cable
and tries some passwords for account B.
- If he finds the right password, let's say on the 3rd try, he gets logged on as B with the cached credentials of B. No 529 is
logged on a DC, because there was no network connection.
- If A needs a week to find the password of B with hundreds of failed attempts, you still do not have a single 529 logged on any
DC!
- So you would assume that all users behave well on your network, because you rely on the logs of the DCs. And you would be totally
wrong!
BTW, online watching of critical events is possible without the need to copy the complete Security log to another machine; I
of course suggest the program Elwiz for this task ;-) If a network connection to a machine in the watch list was broken, Elwiz will
check all events which occurred in the meantime when the connection is up again.
A 17: Is it possible to have different Audit policies on BDCs and the PDC of a domain?
Yes, but it does not make much sense. You should be aware of the fact that any change of the audit policy of the PDC will be
replicated to all BDCs of the domain. Early versions of Elwiz allowed setting different audit policies for every domain controller.
But because of the replication issue, Elwiz 3.x does not allow setting the audit policy of a BDC directly.
A 19: I'd like to use a Perl script instead of EventSave. Where can I find one?
Charlie Bernstein published his Perl script. The script itself just cycles the log files.
It was designed to be used in conjunction with a batch file to place them where you want them to go.
A 20: Is it possible to merge for instance all failed logon events of the domain into one eventlog file? Or do I really
need to scan all logs of all workstations to get this info completely?
- All the tools from the collection Report Event for Windows NT have the built-in option to scan, within one run, the log files of all
machines which are saved into the same directory. Nevertheless it might be quite useful to collect the interesting events from different
machines into one file. For this reason the tool MER exists as part of Report Event for Windows NT.
- The program Elwiz will alert you when important events happen. All events which created alerts will be copied into an
extra evt file and brought to your attention by Elwiz. You even have the possibility to create filter rules which summarize
multiple events. For instance, you could create a filter rule that summarizes all events 529 which happened within one minute in
your network into a single event record.
A 21: What can I do to shut off the log generation process? In many cases I don't need them anyway.
Disable the eventlog service. But I don't recommend it!
If you are running an NT machine at home, you do not need to bother about security events, but you should keep in mind the following:
event logging can still be very useful; for instance, it will warn you if your hard disk is about to die! So I would prefer to only
disable all security events in User Manager | Policies | Audit and leave the eventlog service alive.
A 22: Some of my event logs show the time of the events with an offset of one hour.
Probably you have enabled "Automatically adjust for Daylight Savings changes" in Control Panel? NT always uses GMT for the
timestamps of event log events. This is the reason for the shift of the times reported in the event logs every spring and autumn. It
works as documented in KB article 129574. If you don't like it, switch "Automatically adjust for Daylight Savings changes" off.
A 23: Event 627 shows that NT AUTHORITY\ANONYMOUS is trying to change a user's password. I got a Target Account
Name but no Caller User Name.
This kind of event with no Caller User Name is logged when the password has expired and the user tries to change it during logon.
Event 627 can be of type Success or Failure, depending on the result of the user's activities. If you want to know on which
machine the user tried to change the password, the log on the server won't tell you much. You have to
walk through all Security logs of all workstations and look for an event 537 created shortly before the 627 was logged on the server
with the same user name.
A 24: I can't figure out why the occasional week shows a "hole" (no events recorded).
How full are your logs? Elwiz will tell you what percentage of the maximum size is used.
If you have chosen "overwrite after 7 days", for instance, and the logs become full after 3 days, no events can be logged
during the next 4 days.
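A simplified retention model, added here as an example (not the FAQ's or Elwiz's code), that reproduces both effects: events older than the retention period stay in the log until their space is needed (answer 11), and a log that fills up before the period has expired drops everything until the oldest events age out (answer 24). It assumes one fixed-size record per event and compares ages in whole days; the sizes and day counts in the sample runs are constructed.

```python
from collections import deque


class EventLogModel:
    """Simplified model of one NT event log.

    max_kb          configured maximum size
    retention_days  None  = "Never overwrite"
                    0     = "Overwrite events as needed"
                    N > 0 = "Overwrite events older than N days"
    Records are only ever removed to make room for a new one, never on their own.
    """

    def __init__(self, max_kb, retention_days):
        self.max_kb = max_kb
        self.retention_days = retention_days
        self.records = deque()  # (day written, size in KB), oldest first
        self.used_kb = 0
        self.dropped = []       # (day, size) of events the service could not log

    def _overwrite_oldest(self, today):
        """Free the oldest record if the retention policy allows it."""
        if self.retention_days is None or not self.records:
            return False
        oldest_day, oldest_kb = self.records[0]
        if today - oldest_day < self.retention_days:
            return False           # too young to overwrite: the log stays full
        self.records.popleft()
        self.used_kb -= oldest_kb
        return True

    def write(self, day, size_kb):
        """Append an event, overwriting old ones only when there is no room left."""
        while self.used_kb + size_kb > self.max_kb:
            if not self._overwrite_oldest(day):
                self.dropped.append((day, size_kb))
                return False
        self.records.append((day, size_kb))
        self.used_kb += size_kb
        return True

    def oldest_day(self):
        """Day of the oldest record still in the log, or None if it is empty."""
        return self.records[0][0] if self.records else None

    def days_with_holes(self):
        """Days on which at least one event was lost (the "hole" in answer 24)."""
        return sorted({day for day, _ in self.dropped})


def simulate(max_kb, retention_days, events_per_day, days):
    """Write events_per_day one-KB events per day; return (days with holes, oldest day kept)."""
    log = EventLogModel(max_kb, retention_days)
    for day in range(days):
        for _ in range(events_per_day):
            log.write(day, 1)
    return log.days_with_holes(), log.oldest_day()


if __name__ == "__main__":
    # Answer 24: 7-day policy, log full after 3 days -> four days with no events.
    print(simulate(300, 7, 100, 10))   # ([3, 4, 5, 6], 7)
    # Answer 11: 7-day policy but the log is never full -> old events stay.
    print(simulate(1000, 7, 10, 90))   # ([], 0)
```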
A 25: I am accused of a license violation, but did nothing illegal! An event 26 in the System log claims I have
tampered with the product type, but this is not true!
Have you, by chance, switched on auditing for parts of your Registry? In case you activated auditing for
HKLM\System\CurrentControlSet\Control\ProductOptions\ProductType and/or
HKLM\System\Setup\SystemPrefix
you will get this stupid event. It appears Microsoft interprets auditing these keys as illegal for some reason.
A 26: Is there software that allows a person to access the event logs and delete individual log
entries?
The question is: do you mean
(A) the active event log files used by the system, or
(B) event log files already saved and no longer used by the system?
(A) - Because the eventlog service opens these files with exclusive access, you need to break the eventlog service first in order
to be able to access the log files. In September 2000 Arne Vidstrom posted a program
called WinZapper. It breaks the eventlog service without shutting it down. After this is done, there is no difference to case (B).
BTW, you need to be admin to run WinZapper.
(B) - This is possible. You just copy the entire event log into another file and skip the records you want to delete. It is possible
to use MER if you want to remove, for instance, all entries with a certain Event ID.
A 27: Why should I rename the admin account? An attacker can find out the name of the real admin account anyway.
If you rename the Administrator account and create a guest account called "Administrator", you might catch users or novice
script kiddies attempting to access your system. If you see attempted logins on your dummy Administrator account, you
immediately know that something is happening that shouldn't be.
A 28: How do I save an event log file into an ASCII file?
- If you want to do it with a GUI program, I suggest Elwiz, which allows filtering the records as well as the fields you want to save.
- Starting with NT 5.0 (aka Windows 2000) you can use the Event Viewer. But this program ignores any filter you set when it
exports events into text files.
- If you want to do it with a command line program, I suggest dumpel from the Resource Kit.
A 29: Does NT log remote interactive logons?
This depends on the application you are using:
- Some programs, like rcmd.exe from Microsoft's Resource Kit, allow interactive remote logons which do not get logged at
all.
- Other programs, like psExec.exe, log the remote connection as type 2 (interactive logon).
A 30: Is there any way to find out how full (in percent) an event log is using API calls?
No, you need to write your own function, like I did in Elwiz.
A 32: I'm an administrator on an NT WAN, with several users with admin rights. Is there a tool available that will
log what changes are made to the user accounts, and to the servers themselves?
The built-in eventlog service allows you to watch changes to user accounts, Security policies, and so on.
But when there are lots of admins, you should not trust the logs too much, because every admin is able to change the audit policy. An
admin could switch off some auditing, change something, and switch it on again, so you won't find much in the logs afterwards.
A 33: My security logs are filled with failed logon events 529 for account MACHINE$, one every few seconds.
Looks like the password of MACHINE is out of sync with the DC. Usually removing the machine MACHINE from the domain and
rejoining it will help.
A 34: Why are no events 592 and 593 logged when a 16 bit application is run?
592 and 593 events are only logged for 32 bit applications.
If you want to audit the execution of 16 bit applications, you have to audit object access. In the 560 Security events you then have to
search for events with
Access: Execute
A 35: What do I need to audit when I want to reliably log only the changing of file permissions?
You need to audit
Change Permissions: Success and Failure
preferably for Everyone.
But you should know that if someone turns off these auditing settings and changes the permissions afterwards, no events are logged.
The only way to detect changes to the auditing settings seems to be to enable the auditing of successful Write events. Only this way
do you get an event when the auditing is turned off. But obviously this configuration causes the log to get full in a short period of
time.
The reason seems to be that audit settings are written together with the files. It would, of course, be nice to be able to audit
only security related actions reliably.
A 36: Are there problems with auditing of the Registry root keys?
On important machines it might be useful to know when someone wants to connect to the file system or Registry of the machine.
Connecting to the Registry of a computer over the network always involves connecting to one of the root keys HKEY_LOCAL_MACHINE or
HKEY_USERS first. So you could enable the security policy auditing object access and you could add an audit entry in the
properties of both root keys.
The problem is: after you reboot the computer, it has lost its audit settings for both root keys of the Registry. This is a problem
of all current versions of Windows.
Workaround: put a RegAudit command for recreating the audit entries into the startup script of the machine.
A 37: Which events will be logged during local logon and logoff?
During logon event 528 will be logged. Logon type 2 means it is an interactive logon.
After the end of the logoff procedure event 538 will be logged. But when the user shuts down his machine during logoff, the eventlog
service will be shut down as well. Depending on which is faster, the eventlog service might not be available when the user finally
is logged off, so event 538 can't be logged at all in this situation.
For this reason, starting with Windows XP and Windows 2003, event 551 was introduced. This event will be logged at the start of a
logoff procedure, and only for interactive sessions. In a modern version of Windows the relevant events will be seen in the
following order:
Logon: 528
Start of logoff: 551
End of logoff: 538 (probably only when the machine was not shut down)
A 38: What does, for instance, the Logon ID (0x0,0x3E5) mean?
(0x0,0x3E5) is used by services which run under the account LOCAL SERVICE.
(0x0,0x3E4) is used by services which run under the account NETWORK SERVICE.
Other accounts use different Logon IDs each time they log on. The numbers increase with the uptime of the machine, but there seems to be
no clear relationship between the two.
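An added example (not code from this FAQ or from Elwiz) that parses the "(0xHIGH,0xLOW)" Logon ID into the 64-bit value it encodes, labels the well-known service sessions named above, and replays 528/551/538 per Logon ID to find sessions that started logging off but never logged a 538, the shutdown case from answer 37. The 0x3E7 entry for SYSTEM is Microsoft's documented value rather than something this page states, and the sample events are constructed.

```python
import re

# Well-known logon session IDs: 0x3E4 and 0x3E5 are the ones from answer 38;
# 0x3E7 (SYSTEM) is Microsoft's documented value and is not taken from this FAQ.
WELL_KNOWN_LUIDS = {0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE", 0x3E7: "SYSTEM"}

# Event Viewer prints a Logon ID as "(0xHIGH,0xLOW)", the two halves of a 64-bit LUID.
LOGON_ID_RE = re.compile(r"^\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)$")


def parse_logon_id(text):
    """Turn '(0x0,0x3E5)' into the integer 0x3E5 (high half shifted into the upper 32 bits)."""
    match = LOGON_ID_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a Logon ID: {text!r}")
    high, low = (int(part, 16) for part in match.groups())
    if high > 0xFFFFFFFF or low > 0xFFFFFFFF:
        raise ValueError(f"Logon ID half exceeds 32 bits: {text!r}")
    return (high << 32) | low


def describe_logon_id(text):
    """Name the well-known service sessions; anything else is an ordinary per-logon ID."""
    luid = parse_logon_id(text)
    return WELL_KNOWN_LUIDS.get(luid, f"logon session {luid:#x}")


# Constructed sample: (event id, Logon ID) in log order, following the sequence from
# answer 37: 528 (logon), 551 (start of logoff), 538 (end of logoff).
SAMPLE_EVENTS = [
    (528, "(0x0,0x3E5)"),    # LOCAL SERVICE starts its session at boot
    (528, "(0x0,0x1A2B3)"),  # first user logs on
    (551, "(0x0,0x1A2B3)"),  # user starts logging off
    (538, "(0x0,0x1A2B3)"),  # logoff completed
    (528, "(0x0,0x2C4D5)"),  # second user logs on
    (551, "(0x0,0x2C4D5)"),  # logoff starts, then the machine is shut down: no 538 follows
    (538, "(0x0,0x0F00D)"),  # logoff of a session whose 528 predates this log
]


def session_states(events):
    """Replay the events per Logon ID and return each session's final state."""
    state = {}
    for event_id, logon_id in events:
        luid = parse_logon_id(logon_id)
        if event_id == 528:
            state[luid] = "logged on"
        elif event_id == 551 and state.get(luid) == "logged on":
            state[luid] = "logging off"
        elif event_id == 538:
            # A 538 without a known 528 means the logon was recorded before this log began.
            state[luid] = "logged off" if luid in state else "logged off (logon not in log)"
    return state


def incomplete_logoffs(events):
    """Sessions with a 551 but no 538: the machine was shut down during logoff."""
    return sorted(luid for luid, s in session_states(events).items() if s == "logging off")
```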
A 39: Did all the problems inherent to earlier versions go away with the new event log of Windows Vista?
Certainly not.
Even under Vista there are events whose construction is not ideal:
- Well known are the events of the source Dr. Watson in older versions of Windows, where the entire plain text is written to the
event as binary data. The result is that you can't view the content very well with the Event Viewer of Windows (in contrast to
Elwiz ;-).
For unknown reasons we find such events in Vista, too. For instance, in the System log there is event 6013 (respectively 1917) of the
source Eventlog. It contains plain text data which is saved as binary data, making it difficult to read even in the so called
"Friendly View" of Event Viewer.
- It makes sense to save only the changing part of the information in the event and format it, when viewed, with a string saved outside
the event log into readable text. This spares you unnecessarily large log files with lots of redundant information.
When you, for instance, clear the Security log in Vista, an event 1102 of the source Eventlog with 4 parameters will be created: SID,
Account name, Domain name, and Logon ID of the user. Event Viewer shows this information as a nicely formatted sentence in the
General View.
But when you clear the System log in Vista, an event 104 of the source Eventlog with 4 parameters will be created: Account name,
Domain name, Channel and (if the events have been saved during clearing) the name of the backup file. For unknown reasons, Event
Viewer does not show this information in the General View.
- I don't know why in the Security log Vista does not save the name of the backup file you create when you "Save and
Clear" the log. It is possible in the System log, but why not in the Security log?